

CNE End Point Requirements 


CATEGORY 

O Experir™ 
O Refinemer 
O Bug Fix 
O all 


REQ TYPE 

O Capability 
O Convergenc 
O Query 
O Taskir 
O Viewe 
Oall 


PRIORITY 

O Priority 
O Priority 

O Priority 
oall 




This spreadsheet contains the collated CNE user requirements 
captured bv^^^^^^^Has the Endpoint initiative lead. 

To cut down the amount of information visible select the 
material you want to see via the Radio Buttons and then 
press "GO". 


Requirements are divided into a number of CATEGORIES 
identifying the amount of INNOVATION required to satisfy the 
requirement 

Requirements are labelled by TYPE - referring to the primary issue 
associated with the requirement 

Requirements are PRIORITISED - Priority 1 being the highest 
(essential) and Priority 3 the lowest (nice to have) 


REQUIREMENTS 


PLANNED DEVELOPMENT WORK 


Category 


Type 


Priority 


Number 


Description 


Individual Tasks - with RAG status 


Refine 


Capability 


1 


Cap. 01 




Request document / file properties and task on the basis of 
the same (author/etc) 




STARGATE (Manual authorisation tool) 


Experiment 


Capability 


1 


Cap. 02 


■ Detect internal network activity (volumes and movement of 1 
■specific data types) 


U 




Experiment 


Capability 


1 


Cap. 03 




[Low latency presence data for use in tip-off collection 


n 




Experiment 


Capability 


1 


Cap. 04 




Remote indexinq 


□ 


|ROCK OPERA remote indexinq 


Experiment 


Capability 


1 


Cap. 05 




Use API type functions of operating systems like their 
indexing 




' 


Experiment 


Capability 


2 


Cap. 06 




characterisation of unallocated or deleted space - potentially 
a source of intelligence on internet-facing target machines 




STARGATE (Daredevil remote forensics pluqin) 




Quincey plugin 


Experiment 


Capability 


2 


Cap.07 


■ Destination IP address from messenger client packet capture 






Experiment 


Capability 


2 


Cap. 08 




PCS - capability against mobile devices 




Research in CNE and ICTR 


Experiment 


Capability 


2 


Cap. 09 




ability to list programs and applications commonly used on 
the machine (pulled from Registry and program files?) - and 
to monitor frequency of use 






Experiment 


Capability 


2 


Cap. 10 


■Follow/monitor movement of files / movement of users (key 
■to identifying the valuable parts of a network) 




[STARGATE (network summary plugin) 




[STARGATE (Endpoint data characterisation) 


Experiment 


Capability 


2 


Cap. 11 




ReiWfi^feli^fiS^^^^rvester (with logics applied to 
implant on USB to auto- retrieve data). 




Refine 


Capability 


2 


Cap. 12 




web browsing content (html, cookies etc) 






Experiment 


Capability 


3 


Cap. 13 


■ change the registry (eg browser stain) 






Experiment 


Capability 


3 


Cap. 14 


■ Collect the first line of the document text / the first 'n' 
■characters. 







Experiment 


Capability 


3 


Cap. 15 


l 

■ 


CNA / CND profiling - Be able to search on hacking 
profile/signature so can spot attacks leaving a box. Need 


1 


(STARGATE (Endpoint data characterisation) 


Experiment 


Capability 


3 


Cap. 16 


Remote hashing of files 


m 




Experiment 


Convergence 


1 


Conv.01 




Data must be of a format which enables it to be merged with 
data from other sources / tools in any future converged 
platform. E.g. putting internet selector (TDI) related material 
into passive events systems and auto-correlating activity 
from a CNE implant to the same intercept collected in 
passive 




STARGATE ROADMAP iteration 7-10 (corporate framework, 
native viewing, CMS, convergence) 


Experiment 


Convergence 


1 


Conv.02 




Metadata must be exportable to other relevant tools. 




STARGATE (Graphical query enqine) 


Experiment 


Convergence 


1 


Conv.03 




Geolocation information Google earth /C.O.R.E. / K.I.M 




STARGATE ROADMAP iteration 7-10 (corporate framework, 
native viewing, CMS, convergence) 


Experiment 


Convergence 


2 


Conv.04 


■ 


Abilitv to compare EndPoint data with JTRIG forensic data & 




CNE metadata into the CMS 


Experiment 


Convergence 


2 


Conv.05 


i 

■ 

■■i 


Develop a fingerprint concept (includes characterisation) - 
application profiles exportable to search in XKEYSCORE 


M 


(STARGATE (Endpoint data characterisation) 


STARGATE (Machine survey/summary component) 


Experiment 


Convergence 


2 


Conv.06 


trackin g 

standards, shareable with other tools to enable cross 
querying across the 5-eyes. 




STARGATE ROADMAP iteration 7-10 (corporate framework, 
native viewing, CMS, convergence) 


Refine 


Convergence 


2 


Conv.07 




EndPoint data should send / generate metadata for the new 
(content Metadata Store (CMS) 




CNE metadata into the CMS 




GOLDEN EYE 2 


Experiment 


Convergence 


2 


Conv.08 


1 


(Enrichment of EndPoint content and metadata from other 
tools/databases (BroadOak, UTT, JTRIG, Globalreach, 
piobal Surge, THUGGEE) 




STARGATE ROADMAP iteration 7-10 (corporate framework, 
native viewing, CMS, convergence) 




LOOKING GLASS 


Experiment 


Convergence 


2 


Conv.09 




Events data containing End Point internet activity material 
e.g. this public IP has been seen in MARINA. 




STARGATE ROADMAP iteration 7-10 (corporate framework, 
native viewing, CMS, convergence) 


Experiment 


Convergence 


2 


Conv.10 




Flexibility to keep pace with tools developments, 
compatibility with others' efforts, and accessible to e.g. ICTR 
(Applied Research) 




Eclipse platform/framework 


Experiment 


Convergence 


2 


Conv.ll 


1 


IPSC tipping to EREPO / other passive collection (see 
(tasking requirement) 




STARGATE (Alerting Components) 


Experiment 


Convergence 


2 


Conv.13 




Data feeds in & out of Endpoint: Radio values and MAC 
addresses / IP addresses - take data to, and lookup from 
Global Surge / Roadbed / Overhead / wifi mapping / 




STARGATE (Machine survey/summary component) 




STARGATE ROADMAP iteration 7-10 (corporate framework, 
native viewing, CMS, convergence) 


Experiment 


Convergence 


2 


Conv.16 




rfTSfSi I e s 

web mail cookie as an Active User entry/ IP & Datetime in 
HAUSTORIUM/MARINA/(via Shareown?)/MUTANT BROTH 
or other corporate solutions 




STARGATE ROADMAP iteration 7-10 (corporate framework, 
native viewing, CMS, convergence) 


Experiment 


Convergence 


3 


Conv.17 




Ability to view collected items with reports that have been 
written from them - MOON RAKER (assume this would be 
done using the source record for reports) 




STARGATE ROADMAP iteration 7-10 (corporate framework, 
native viewing, CMS, convergence) 


Refine 


Convergence 


3 


Conv.19 




Be able to launch queries in other SIGINT systems from 
within EndPoint e.g. Send identified selectors to events tools 




STARGATE ROADMAP iteration 2 




LOOKING GLASS 


Experiment 


Convergence 


3 


Conv.2Q 




Carbon Rod - show me a man in the middle between this 
End Point network and this website. (Vulnerability 




MUGSHOT 




STARGATE (Machine survey/summary component) 













assessment) 




STARGATE (Network visualisation) 




STARGATE (network summary plugin) 




HIGH NOTE (CNETD tools) 




NAC Network Visualisation work 


Experiment 


Convergence 


3 


Conv.21 


Ilf the network contains wireless bridges, show me pictures of 
Bwhere that RF has been seen). Having the ability to connect 




STARGATE (Network visualisation) 




NAC Network Visualisation work 


Experiment 


Convergence 


3 


r 


Knowledge Base. Feed BROAD 
loAK and other summarisation tools. 


■ 


STARGATE ROADMAP iteration 7-10 (corporate framework, 
native viewing, CMS, convergence) 


ISTARGATE (Endpoint data characterisation) 


Experiment 


Convergence 


3 


Conv.25 




Link out to (mirrored) open source resources such as Web / 
Wiki 1 - look up machine / hardware info E.g. This MAC 


n 


GOLDEN EYE 2 


u 


|hIGH NOTE (CNE TD tools) 


Experiment 


Convergence 


3 


Conv.26 




BMfWIHfflffHnd router configs 
in relation to your network - noting any outbound traceroutes 
that cross an EREPO access. 


■ 


STARGATE (Task management component) 


HIGH NOTE (CNETD tools) 




STARGATE (Network visualisation) 


Refine 


Query 


1 


Qry.01 




Result summaries - users need to be able to see results and 
refine/summarise the dataset prior to launching further 
analytics/viewing formats. Also histogram, count, filter 




Migrate STARGATE plugins to LOOKING GLASS 




STARGATE (Graphical query engine) 




LOOKING GLASS 


Refine 


Query 


1 


Qry.02 




time, using Boolean expressions. 




Migrate STARGATE plugins to LOOKING GLASS 




CNE metadata into the CMS 




STARGATE (Graphical query engine) 




LOOKING GLASS 


Experiment 


Query 


1 


Qry.03 




Query using indexed values from files (indexed remotely or 
locally) with ability to apply Boolean logic, including foreign 




ROCK OPERA remote indexing 




UDAQ2 


Refine 


Query 


1 


Qry.04 




the CNE datastore 

* target user 

* machine/folder 
*time 

* most recently viewed files 




STARGATE (Graphical query engine) 


Refine 


Query 


1 


Qry.06 




Save queries 




STARGATE (collaboration components) 


1 


STARGATE (Graphical query enqine) 


Refine 


Query 


1 


Qry.07 




Tag-based searching: tags are given to items that fit the 
description e.g. "yahoo", "voip" (similar to fingerprints in X- 
Keyscore). 

Ability to compile 'common' tag-based searches. Essential to 
the knowledge sharing process and corresponding use at 
scale of end point. 




Experiment 


Query 


2 


Qry.08 


i 


Show me what IP messaging clients have connected to, 
suggests new targets. Query on peer to peer connections 


1 




Refine 


Query 


2 


Qry.09 




Ability to add notes to items/machines/networks/projects to 
support collaboration, notes pushed up the chain. Click on a 




STARGATE (collaboration components) 




LOOKING GLASS 


Experiment 


Query 


2 


Qry.10 




egress ('which boxes can 1 get >1MB 

files from?') 




STARGATE (Shopping basket full functionality) 




EKB information 



Refine 



Refine 



Experiment 



Refine 



Experiment 

Refine 

Experiment 

Refine 

Refine 



Refine 



Refine 



Experiment 



Refine 



Refine 



Refine 

Refine 



Experiment 



Query 

Query 

Query 



Query 



Query 

Query 

Query 

Query 

Query 

Query 

Query 



Query 



Tasking 

Tasking 

Tasking 

Tasking 



Tasking 



Qry-l2jl 

Qry.lsB, 

Qry.14^ 



Qry.l6l 



Q r yi7 ] 

Orv.18' 

Qry.igl 

Qry.21 | 

Qry.22l 

Qry.23| 



Qry.24 



Qry.25l 



Task.04 



Task. 05 



Experiment 



Experiment 



Refine 



Tasking 

Tasking 

Tasking 



Task.06l 



Task.07 



Task.10 



Import data from another source (eg 3rd party filelisting) - for 
'example a CSV file into Eclipse 




GOLDEN EYE 2 


IPull out all applications seen on a box / network 


■ 


STARGATE (Machine survey/summary component) 


STARGATE (Endpoint data characterisation) 


pull out all selectors seen on a box / in docs 
* Telephone numbers, emails, passwords etc retrieved 




STARGATE (Summarisation) 




STARGATE (Graphical query engine) 




■ 


STARGATE (Graphical query engine) 


machines / users / TDIs + latency & tip off 


[STARGATE (Endpoint data characterisation) 


Schedule queries on collected data 




STARGATE (Graphical query enqine) 


Share queries 




STARGATE (collaboration components) 


Ability to push data - i.e. ’ other people found this interesting'/ 
('other people asked for this on this box' / 'query this to find 


■ 


STARGATE (collaboration components) 


STARGATE (Endpoint data characterisation) 


.&<4rie&iW#ftP0u&ies al1 retrieved yanoo data / encryption 




STARGATE (Graphical query engine) 


[other users Flagged items (see knowledge sharing) and star 
rating for items 


J 


STARGATE (collaboration components) 


Query operations by machine types / topic / technologies / 
common properties of operations, projects or machines 


* 


STARGATE (Endpoint data characterisation) 


IsTARGATE (Graphical query enqine) 


The ability to track the unique number assigned to a thumb 1 
drive by computer and then correlate and map this to when 
that same thumb drive is used in a different computer. 






[Volumes of activity across networks 
1 * which boxes are used most often 
1 * which boxes do certain things? 


■ 


[STARGATE (Network visualisation) 


STARGATE (Endpoint data characterisation) 


STARGATE (Graphical query enqine) 




NAC Network Visualisation work 


[By a specific file type 


: 


STARGATE 


STARGATE (Endpoint data characterisation) 


|By those most recently viewed or used 


STARGATE 


STARGATE (Endpoint data characterisation) 


[directory listinqs / file listinqs 


STARGATE 


images / documents as thumbnails only 




STARGATE (Thumbnail viewer) 




STARGATE (Auto conversion of thumbnail files) 




STARGATE 


Inform analysts what is / is not possible on this box / network 
etc. 

* Document what plug ins are available and how they work. 

* What capabilities can be directly tasked by the analyst for 
the relevant box. 

E.g. remote indexing of a box 

* H r, w r nn kl '' iQ if 




STARGATE (Machine survey/summary component) 




STARGATE (network summary pluqin) 




STARGATE (Shoppinq basket full functionality) 




ROCK OPERA remote indexinq 




HIGH NOTE (CNETD tools) 




MUGSHOT 


Tag-based tasking -internet activity profile (e.g. usernames, 
[passwords, B cookies, web browsing and more...) 


- 


STARGATE (Endpoint data characterisation) 


Need for rules (time/volume/file types), conflict resolution, 
permissions 


STARGATE (Task manaqement component) 




EKB information 


Request individual files 


. 


STARGATE (Manual authorisation tool) 

















STARGATE 


Refine 


Tasking 


1 


Task. 11 




Reguest network info e.g. traceroutes, ipconfig, arp - a, 
possible route -print, netmap 




STARGATE (Manual authorisation tool) 




STARGATE (Network visualisation) 


Experiment 


Tasking 


1 


Task. 13 




Mission management: within the EndPoint system - on file 
reguest, generate metrics / stats - TPA can use 




STARGATE (Cheguerboard) 




LOOKING GLASS 


Refine 


Tasking 


2 


Task. 14 




Access to cookie content. These are powerful sigint 
enablers, carrying selector and geolocation information 
amongst other stuff, so rank higher than other webbrowsing 
material. 




STARGATE 


Experiment 


Tasking 


2 


Task. 15 


1 


Tasking by application e.g. "get me all Skype files" 




ISTARGATE (Endpoint data characterisation) 


Experiment 


Tasking 


2 


Task. 16 


Tasking by files containing a string / having particular hash 
values / image hash values 


[STAR GATE (Endpoint data characterisation) 


Refine 


Tasking 


2 


Task.17 


t 


#2Taskinq by files that have changed 


■STARGATE (Endpoint data characterisation) 


Experiment 


Tasking 


2 


Task. 18 


C 


Tasking by geo value - google earth, public ip profiles, 
machine identifiers. 


G 


ISTARGATE (Endpoint data characterisation) 


Evolved MUTANT BROTH 


Experiment 


Tasking 


2 


Task. 19 


r 


Tasking by type media content collection - IM/email text, 
voice, video, ... eg "get me all voice files" 


1 


ISTARGATE (Endpoint data characterisation) 


lAutomated tasking 


Refine 


Tasking 


2 


Task.20 


L 


Tasking by user / author 


■STARGATE (Endpoint data characterisation) 


Refine 


Tasking 


2 


Task.22 




keylog reguests - useful for passwords and the like 




STARGATE (key log viewer) 


Refine 


Tasking 


2 


Task.26 




reguest pings on IP addresses to determine eguipment 
types. 




STARGATE (Manual authorisation tool) 




HIGH NOTE (CNE TD tools) 




MUGSHOT 


Experiment 


Tasking 


2 


Task.28 




Retrieve files based on text content- eg if the document has 
TOP SECRET in it, collect it, don't wait to be asked 




ROCK OPERA remote indexing 




STARGATE (Shopping basket full functionality) 


Experiment 


Tasking 


2 


Task.29 








STARGATE (Screenshot viewer) 




STARGATE (Shopping basket full functionality) 


Refine 


Tasking 


2 


Task.30 




Tasking pre-End Point (gueuing up tasking before the 
endpoint is ready) 




STARGATE (Manual authorisation tool) 


Experiment 


Tasking 


3 


Task.33 




Bulk tasking - ability to apply tasking parameters to the 
network / project; task a target set 




STARGATE (Manual authorisation tool) 




TURBINE (mission applications) 




AC NO mission management 


Experiment 


Tasking 


3 


Task.34 




Effects based tasking, for certain users e.g. ability to change 
registry, watermark files, or even destroy the box? 




STARGATE (Manual authorisation tool) 




New CNE Effects tool 


Experiment 


Tasking 


3 


Task.36 




Task an End Point to send tipping to the EREPO system for 
collection on the active IP of the box. Put a beacon on this 




STARGATE (Manual authorisation tool) 




STARGATE (Alerting Components) 


Refine 


Viewer 


1 


View.Ol 




ftBfrtJR© configure every function of the viewer, so that 
settings are saveable and shareable 




STARGATE (Collaboration components) 




LOOKING GLASS 


Experiment 


Viewer 


1 


View. 02 




ability to view content in foreign script (in the correct order) 




STARGATE ROADMAP iteration 8 




UDAQ2 


Experiment 


Viewer 


1 


View.03 




Across networks we need to be able to distinguish between: 

* a computer on a network seen but not implanted at all 

* computers with first stage implants, second stage 
implants 

* second stage implants but not yet surveyed 

Mookod at bv an analvot 




STARGATE (Network visualisation) 




HIGH NOTE (CNE TD tools) 




LUNAR HORNET (Support for implant visualisation) 




NAC Network Visualisation work 




ICTR (B13B) network mapping 



Experiment 


Viewer 


1 


View.04 




Analytics to produce a summary / profile page of a machine 




STARGATE (Machine survey/summary component) 












as a starting point for the analyst, like CIA QUINCY 




STARGATE (Chequerboard) 


Experiment 


Viewer 


1 


View. 05 


■ fflfl&fft^Pp8tSSW!fmplants/make 




STARGATE (Network visualisation) 








■ recommendations (show me paths with x hops) 




STARGATE (Network summary plugin) 














LUNAR HORNET (Support for implant visualisation) 


Experiment 


Viewer 


1 


View.06 




Visualise and physically / logically map target networks 




STARGATE (Network summary plugin) 














STARGATE (Network visualisation) 
















NAC Network Visualisation work 
















ICTR (B13B) network mapping 


Refine 


Viewer 


1 


View.07 




Machine properties: Domain - which domain(s) is the 
machine in? 




STARGATE (Machine survey/summary component) 


Refine 


Viewer 


1 


View.08 


■ 


Metadata for each file to include file properties (author, last 


■ 


STARGATE (Endpoint Data Characterisation) 










1 


modified by, dates, length, hidden, password protected, 


L 


IROCK OPERA remote indexing 


Refine 


Viewer 


1 


View.09 




mmm and a 

descriptor) 


1 


STARGATE (Endpoint Data Characterisation) 


Refine 


Viewer 


1 


View.10 




Machine properties: IP (public/private) include relevant 
passive access points 




STARGATE (Machine survey/summary component) 


Experiment 


Viewer 


1 


View. 11 


■ 


Model time aspects in visualisation & physical/logical 


■ 


STARGATE (Endpoint Data Characterisation) 










LJ 


[mapping of target networks - ie as machines 




STARGATE (Network visualisation) 


Refine 


Viewer 


1 


View. 12 








STARGATE (Machine survey/summary component) 


Experiment 


Viewer 


1 


View. 14 




see applications on a box. E.g. mail clients, messenger 
clients, Autocad, Google Earth, antivirus/network apps 
VPN.... "what apps on what box?". 




STARGATE (Machine survey/summary component) 


Refine 


Viewer 


1 


View. 16 




Show machine properties (note not ’implant’ properties). 
Allow for the possibility of multiple implants on a single 
machine. 




STARGATE (Machine survey/summary component) 


Experiment 


Viewer 


1 


View. Ill 


■ 


Show overall Project information on Op 


■ 


STARGATE (Task management component) 










- who the target is, requirements, why the target is being 




STARGATE (Machine survey/summary component) 












worked, (e.g. Country/contextual stuff - CP - Dr Evil - 




STARGATE (Project/Op summary view) 












henchman No 1) 

- summary of progress. 

- summary of SIGINT parameters (case notations/si gad) 

- project lead and analysts who've registered an interest 

- linked to Machines under Op and network overview 




FLAME CARPET 2 














Eclipse drill down 














BROADOAK 








J 


■ 




LOOKING GLASS 


Experiment 


Viewer 


1 


View.21 




Need for COIs, need to see current status of users 
compartments. Classification of current view. 


1 


STARGATE (Authorisation components, incll user management) 
















GOLDEN EYE 2 


Refine 


Viewer 


1 


View.22 


i 


[Show results of content searches with paths for content 
| ocation 




UDAQ2 


Experiment 


Viewer 


1 


View.23 




supported ability to view / run native versions of non plain 




STARGATE (registry viewer) 










text material (office docs, jpegs, video etc ALSO registry 




STARGATE ROADMAP iteration 8 












data, system files, shortcuts.) 




FUME CUPBOARD 



Experiment 


Viewer 


1 


View. 24 




tasking history - an ability to see the status of all files and the 1 
user’s and others’ current tasking Requested / Rejected / 
Accepted / Delivered, viewable over an individual 
machine/project/network/SigintUser/SigintTeam/types of 
task/status etc etc (ie by any property of the tasking 
including time) 




STARGATE (Task management component) 


Experiment 


Viewer 


1 


View.25 




Visualise file structures across different machines and 




STARGATE ROADMAP iteration 8 










browse through them. Dirwalks, file listings and other survey 




STARGATE (Graphical query engine) 












results to be included. Subtract what's the same (or what's 




STARGATE (Endpoint Data Characterisation) 












different) 




STARGATE (machine survey/summary component) 


refine 


Viewer 


2 


View.26 


■ahility to click on email account and look at associated web 1 




STARGATE (Endpoint Data Characterisation) 










Mbrowsing (algorithm to sessionise web sessions to email 




, PASSIVE/ACTIVE convergence 










^accounts > user) 




Analytics 


Refine 


Viewer 


2 


View. 28 




Ability to see who has viewed the network / project / machine 




LOOKING GLASS 












/ individual files (including self!) 




UDAQ2 


Refine 


Viewer 


2 


View. 29 




An ability to add and amend comments to the machine and 
to label it with values as above. 




LOOKING GLASS 


Refine 


Viewer 


2 


View.30 




Applications installed and versions/settinqs 




STARGATE (Machine survey/summary component) 


Experiment 


Viewer 


2 


View.31 


■Be able to araphicallv represent how a computer is 




STARGATE (Network visualisation) 








Mcommunicating within the network, as well as outside. 




STARGATE (Network summary pluqin) 










* Which ports are they using? 




Converged analytics 










* Are they transferring information via FTP? 




STARGATE (Machine survey/summary component) 


Experiment 


Viewer 


2 


View.32 




_ Hit; Li ley usii iu ii isiaiii 'viessdiuii iu auuiiLauujJb uvei 
Capability ta compare machines across a H project/across 




STARGATE (Machine survey/summary component) 










CNE 




STARGATE (Endpoint Data Characterisation) 


Refine 


Viewer 


2 


View.33 


■click on email account to see other computers this account 


"1 


STARGATE (Endpoint Data Characterisation) 










|has been seen on in this particular network / other CNE 




STARGATE (Network visualisation) 


Experiment 


Viewer 


2 


View.34 


(cMj& r ri8flfl§rks - different operations (eg NSA, 




STARGATE (Network visualisation) 








■ 


lEREPO, RUFFLE) may have access at different points of a 
(network 




STARGATE (Network summary plugin) 










Z 


STARGATE (Endpoint Data Characterisation) 


Refine 


Viewer 


2 


View.35 




Connecting my network internal to external / CNE to Passive 




GLOBAL SURGE 


Refine 


Viewer 


2 


View. 36 




Connection Logs to the network/internet, by type as well as 
time for machine & target (eg POP3 logon times, dialup 
connection times wifi ssids) 


j 




Refine 


Viewer 


2 


View.37 




Display address book and signature values from apps on 
machine (eg outlook) 




STARGATE (E-mail visualisation) 


Refine 


Viewer 


2 


View.38 




Display messaging activity from IM clients 


Z) 


STARGATE (Endpoint Data Characterisation) 














IlOOKING GLASS 


Refine 


Viewer 


2 


View. 39 




Compare machines across a project/CNE - files 
sent/received 


J 




Experiment 


Viewer 


2 


View. 40 




find where the same values are present elsewhere (in 


n 




(STARGATE (Graphical query enqine) 










metadata/content/other accesses) 


■ 


ISTARGATE (Endpoint Data Characterisation) 



Refine 


Viewer 


2 


View.42 




highlight where specific application/app type files are stored 1 
(e.g. push out all Skype/Paltalk/MSN/Outlook 
files/communications files) 


i 




Refine 


Viewer 


2 


View. 43 




Implant type, installed plugins, and potential plugins 
(machine level view) 




EKB information 


Refine 


Viewer 


2 


View. 44 




Latencies (traceroutes) 




HIGH NOTE (CNE TD tools) 




STARGATE (Network visualisation) 




NAC Network Visualisation work 


Refine 


Viewer 


2 


View.45 




list files on desktop 


: 




Refine 


Viewer 


2 


View. 46 




list of any identifiers found and where they were pulled from 
on the machine (eg. Rasphone.pbk) 


STARGATE (Machine survey/summary component) 


STARGATE (Endpoint Data Characterisation) 
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list of the Nethood Folder 
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list profiles/accounts on box 


■ 




Refine 


Viewer 


2 


View.49 
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Log of implant callbacks 
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View.50 


■model contact data (best merged with other accesses - see 1 
^convergence) 
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STARGATE (Endpoint Data Characterisation) 
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View.52 


■model internet activity - cookie exchanges and other content 1 
Has well as a metadata summary 




STARGATE (Endpoint Data Characterisation) 
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User centric view 
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Activity modelling 
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View.53| 


HlVIodel indexing of collected files on/across machines 




Entity extraction 


Refine 


Viewer 


2 


View.54 


■ms info command properties and similar. 
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SLIPSTREAM 
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■oDtion to view only retrieved files and their location 
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View. 56 




play back / visualise user/machine/network activity (temporal 
modelling) 
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STARGATE (Machine survey/summary component) 
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View.57l 
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registry viewer analysis 




STARGATE (registry viewer) 






STARGATE (Daredevil remote forensics plugin) 
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View.58 


■See a model of where value has been aained from similar 
Hmachines (Amazon shopping model) - trend analysis 




STARGATE (collaboration components) 
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View.59 




See project lead and analysts who have registered an 
interest. Register an interest for self/section 
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STARGATE (Alerting Components) 
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View.60 




show machines accessed from other machines 




STARGATE (machine survey/summary component) 
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Show where files have changed since being viewed. 




STARGATE (Chequerboard) 


Refine 


Viewer 


2 


View.62 




show where recently opened/created documents are stored 
(color coding if file has changed since last accessed) 




STARGATE ROADMAP iteration 2 




STARGATE (Graphical query engine) 
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View. 64 




Machine properties: Type 

(Desktop/router/server/switch/wireless bridge/firewall/VSAT 
modem etc) 




STARGATE (Machine survey/summary component) 
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NAC Network Visualisation work 
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user logs (who logged on when) 




STARGATE (machine survey/summary component) 
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View. 67 


Visualise the status of CNE operations, based on information 
held within the End Point System. 




STARGATE (Cheguerboard) 
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View.68 


ability to display ’pattern of life' based on presence data, 
'social' networks to overlay the physical and logical network. 
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View.69 


ability to synchronise data - ability to convert times on target 
data to Zulu/correct time if settings on target box/network are 
wrong. 
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Ability to view collected items that have been reported and to 
label items as reported. 
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View. 71 


click on email account / Instant Messaging account to see list 
of buddies 
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click on email account to see list of emails received / Subject 
/ From: 
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View.73r 


[highlight files in suspicious places, eg This is supposed to be 
|a system file but is in the wrong place. 
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View.74^ 


■highlight whether this is a valid 'system 7 file. Helpful in telling 
Banalyst what is worth tasking. 
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View.75 1 


■ How access was gained (MITM, content based -with email 
used, QUANTUM etc) 


STARGATE (Machine survey/summary component) 


Refine 


Viewer 


3 


View.76 1 


1 links to glossary of CNE/TAO/other glossary, breakdown of 
| plugin options and definitions 




D1.3 (support provision of STARGATE training) 
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| list of email accounts to passwords 
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STARGATE (E-maill visualisation) 
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View.78 


MAC/seriall numbers & Equipment description - e.g. what is 
"box”? provide information on capability / what are OS 
properties 




STARGATE (Machine survey/summary component) 
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Radio properties of box (eq wifi or vsat modem) 




STARGATE (Machine survey/summary component) 



